jail: Fix information leak.

Description

There is a lack of proper visibility checking in the kern.ttys sysctl handler,
which leads to an information leak about processes outside the current jail.

This can be demonstrated with pstat -t: when called from within a jail,
it will output all terminal devices including process groups and
session leader process IDs:

jail# pstat -t | grep pts/ | head

	      LINE   INQ  CAN  LIN  LOW  OUTQ  USE  LOW   COL  SESS  PGID STATE
	     pts/2  1920    0    0  192  1984    0  199     0  4132 27245 Oi
	     pts/3  1920    0    0  192  1984    0  199    16 24890 33627 Oi
	     pts/5     0    0    0    0     0    0    0    25 17758     0 G
	    pts/16     0    0    0    0     0    0    0     0 52495     0 G
	    pts/15     0    0    0    0     0    0    0    25 53446     0 G
	    pts/17     0    0    0    0     0    0    0  6702 33230     0 G
	    pts/19     0    0    0    0     0    0    0    14  1116     0 G
	     pts/0     0    0    0    0     0    0    0     0  2241     0 G
	    pts/23     0    0    0    0     0    0    0    20 15639     0 G
	     pts/6     0    0    0    0     0    0    0     0 44062 93792 G

jail# pstat -t | grep pts/ | wc -l

	      85

Devfs does the filtering correctly and we get only one entry:

jail# ls /dev/pts/
2

Approved by: mzaborski, secteam
MFC after: 1 week
Sponsored by: Fudo Security
Approved by: so
Security: FreeBSD-SA-24:02.tty
Security: CVE-2024-25941

(cherry picked from commit f1d0a0cbecf2c688061f35adea85bfb29c9ec893)
(cherry picked from commit a376108029a20f4ce51476d98f2483a7008ce7b5)

(cherry picked from commit 41ac0b4ce00bae061164384f23356a4df6e0e695)
(cherry picked from commit 9bff7ec98354a76c171905ce9530f85685725ee7)
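
The comparison the commit message makes by hand (pstat -t output versus the contents of /dev/pts/) can be scripted as a check to run inside a jail. This is an added example, not part of the FreeBSD commit; the function names are hypothetical and the field positions are taken from the pstat -t header quoted above.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD commit.
# Field positions follow the pstat -t header quoted in the commit message:
# LINE is field 1, SESS is field 10, PGID is field 11.

# leaked_ttys PSTAT_FILE VISIBLE_FILE
#   PSTAT_FILE   : saved output of `pstat -t`
#   VISIBLE_FILE : one entry per line, as printed by `ls /dev/pts/`
# Prints "LINE SESS PGID" for every pts row that has no matching device
# node visible in the jail.
leaked_ttys() {
    awk '
        FILENAME == ARGV[1] { if ($1 != "") visible["pts/" $1] = 1; next }
        $1 ~ /^pts\/[0-9]+$/ && !($1 in visible) { print $1, $10, $11 }
    ' "$2" "$1"
}

# Offline run on three rows copied from the commit message, with
# /dev/pts/ containing only "2" as shown there.
sample_check() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/pstat" <<'EOF'
      LINE   INQ  CAN  LIN  LOW  OUTQ  USE  LOW   COL  SESS  PGID STATE
     pts/2  1920    0    0  192  1984    0  199     0  4132 27245 Oi
     pts/3  1920    0    0  192  1984    0  199    16 24890 33627 Oi
     pts/6     0    0    0    0     0    0    0     0 44062 93792 G
EOF
    printf '2\n' > "$tmp/visible"
    leaked_ttys "$tmp/pstat" "$tmp/visible"
    rm -rf "$tmp"
}

# Live use inside a jail (assumes pstat is installed in the jail).
live_check() {
    tmp=$(mktemp -d) || return 1
    pstat -t > "$tmp/pstat"
    ls /dev/pts/ > "$tmp/visible"
    leaked_ttys "$tmp/pstat" "$tmp/visible"
    rm -rf "$tmp"
}
```

Empty output from live_check means every pts row reported through kern.ttys has a device node visible in the jail; any printed row is a terminal whose session and process group IDs are visible through the sysctl but not through devfs.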

Details

Provenance
pjd Authored on Jan 17 2024, 5:43 PM
gordon Committed on Feb 14 2024, 5:48 AM
Parents
rG48598b1670ce: bhyveload: use a dirfd to support -h